The topic of lifestreams comes up again - and the folly
of file names. I guess it's time to try and implement a
metadata-based filing system and build a groupware server
around it. Groupware is Internet-wide communications writ
small, and a good place to start.

Trusted third party authentication (Kerberos-like). User
need not trust service and vice versa - instead, they
negotiate use of an authentication server they both trust.
Ideally, we don't want to entirely trust any one
authentication server, or perhaps even any one
authentication service provider, but this is deep magic to me.
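A toy illustration of the three-party model just described, added here and not part of the original post: the user and the service each share a long-term key only with the authentication server, and the service accepts the user on the strength of a ticket it can only decrypt with its own key. The `AuthServer`, `seal`/`unseal` helpers and the HMAC-based cipher are assumptions for the example; a real system would use a proper authenticated cipher.

```python
import hmac, hashlib, os, json, time

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (example only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a symmetric key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: blob was not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class AuthServer:
    """Trusted third party: the only party holding everyone's long-term key."""
    def __init__(self): self.keys = {}
    def register(self, name):
        self.keys[name] = os.urandom(32); return self.keys[name]
    def issue(self, user, service, ttl=300):
        session = os.urandom(32).hex()
        # Ticket is readable only by the service; the reply only by the user.
        ticket = seal(self.keys[service], {"user": user, "session": session, "exp": time.time() + ttl})
        return seal(self.keys[user], {"service": service, "session": session, "ticket": ticket.hex()})

def client_request(user_key, reply):
    creds = unseal(user_key, reply)
    session = bytes.fromhex(creds["session"])
    # Authenticator: proves the client could read the reply, so knows the session key.
    return bytes.fromhex(creds["ticket"]), seal(session, {"ts": time.time()})

def service_verify(service_key, ticket, auth, now=None):
    t = unseal(service_key, ticket)          # fails for a ticket not issued by the server
    if (now or time.time()) > t["exp"]:
        raise ValueError("ticket expired")
    unseal(bytes.fromhex(t["session"]), auth)  # fails unless the client held the session key
    return t["user"]                          # service never needed the user's key
```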

Users and services generate their own public keys, a la
PGP. Paying a CA just to have a key is not on - paying for
one to trust your key may be. Especially a CA that actually
looks at you, takes photos, affidavits and skin samples, and
will then commit to an authentication reliability guarantee
which high-security applications will require.

We'll need to be able to implement a client on a smart card.

We'll need to implement a client in IE and Mozilla somehow.

We'll need to do it all fast, before Microsoft and AOL
take over.

Pluggable encryption schemes would be nice. Ideally the
encryption scheme would be implemented in a portable
bytecode of some kind. Crypto codec could possibly be
negotiable between client, server and authenticator. The
service protocols will probably be more vulnerable than the
encryption algorithms, so this may not really be
cost-effective, but it's worth thinking about.

Yes, beating HailStorm (or providing a reasonably
widely-accepted alternative to it) is more important than
being able to run .NET software. It's going to be hard to
get right, but much, much harder to get accepted - and
religious dogma will not help us sell the damn thing to
service providers and users. Openness will help, but Jabber
is not killing off AOL IM or MSNM. Price will help somewhat.

The FSF have put forward dotgnu.org as a
contender to fit the Passport-shaped gap in Ximian's Mono
initiative. I'm initially unconvinced. Their project is too
unfocused - it portrays itself as a total .NET replacement -
and too religious to gather enough mindshare to succeed.

>What do you guys think of Microsoft's .Net and
Hailstorm efforts?

>Dangerous stuff. It is often said that the price of
freedom is eternal vigilance. Unless we counter them,
Microsoft's efforts are not only a threat to Free Software,
they are also extremely dangerous tools in the hands of any
Evil Government that wants to make their citizens unfree.

These are not the words of a project with its eye on the
ball - producing a working, reliable, secure authentication
service for a hostile Net and a license-apathetic gaggle of
web hackers.

Passport is Microsoft's bid to operate the master
password database for every Web site and service. They've
got a shot at grabbing a large number of subscribing sites
because the current Web authentication solution involves
thousands of different password databases to administer and
support, and thousands of passwords for a user to remember.

I don't think they can do it right.

Those Terms of Service are an abomination.

Insufficient paranoia is endemic within MS product groups.

The protocols are closed, resulting in vendor lock-in.

The protocols are closed, resulting in insufficient peer
review of what is potentially the most used crypto since DES.

AOL are their only credible current threat. They have a
slightly better security record, but the other problems are
much the same.

I don't want to trust either of them. We cannot allow
Microsoft or AOL to dominate Web-wide authentication.